From: Brijesh Singh
Date: Tue, 1 Nov 2016 11:52:38 -0400
Subject: [Qemu-devel] [RFC PATCH v3 05/18] core: add new security-policy object

The object can be used to define global security policy for the guest.

The object provides two properties:

1) debug: can be used to disable guest memory access from hypervisor.

   e.g. to disable guest memory debug from qemu monitor

   # $QEMU \
       -object security-policy,debug=false,id=mypolicy \
       -machine ...,security-policy=mypolicy

2) memory-encryption: if guest supports memory encryption then property
   should be set to memory encryption object id.

   # $QEMU \
       -object sev-guest,id=sev0 \
       -object security-policy,memory-encryption=sev0,id=mypolicy \
       -machine ...,security-policy=mypolicy

Signed-off-by: Brijesh Singh
---
 exec.c                           |   7 ++
 hw/core/Makefile.objs            |   1
 hw/core/machine.c                |  22 +++++
 hw/core/security-policy.c        | 166 ++++++++++++++++++++++++++++++++++++++
 include/hw/boards.h              |   1
 include/sysemu/security-policy.h |  75 +++++++++++++++++
 qemu-options.hx                  |  21 +++++
 7 files changed, 293 insertions(+)
 create mode 100644 hw/core/security-policy.c
 create mode 100644 include/sysemu/security-policy.h

diff --git a/exec.c b/exec.c index 4022e13..e9ed975 100644 --- a/exec.c +++ b/exec.c @@ -42,6 +42,7 @@ #include "exec/memory.h" #include "exec/ioport.h" #include "sysemu/dma.h" +#include "sysemu/security-policy.h" #include "exec/address-spaces.h" #include "sysemu/xen-mapcache.h" #include "trace.h" 
@@ -2764,6 +2765,12 @@ static inline void cpu_physical_memory_rw_debug_internal(AddressSpace *as, hwaddr addr1; MemoryRegion *mr; + if (attrs.debug && + !security_policy_debug_allowed(current_machine->security_policy)) { + fprintf(stderr, "WARNING: debug is disabled\n"); + return; + } + rcu_read_lock(); while (len > 0) { l = len; diff --git a/hw/core/Makefile.objs b/hw/core/Makefile.objs index a4c94e5..7641dac 100644 --- a/hw/core/Makefile.objs +++ b/hw/core/Makefile.objs @@ -18,5 +18,6 @@ common-obj-$(CONFIG_SOFTMMU) += qdev-properties-system.o common-obj-$(CONFIG_SOFTMMU) += register.o common-obj-$(CONFIG_SOFTMMU) += or-irq.o common-obj-$(CONFIG_PLATFORM_BUS) += platform-bus.o +common-obj-$(CONFIG_SOFTMMU) += security-policy.o obj-$(CONFIG_SOFTMMU) += generic-loader.o diff --git a/hw/core/machine.c b/hw/core/machine.c index b0fd91f..b23b931 100644 --- a/hw/core/machine.c +++ b/hw/core/machine.c @@ -332,6 +332,23 @@ static bool machine_get_enforce_config_section(Object *obj, Error **errp) return ms->enforce_config_section; } +static char *machine_get_security_policy(Object *obj, Error **errp) +{ + MachineState *ms = MACHINE(obj); + + return g_strdup(ms->security_policy); +} + +static void machine_set_security_policy(Object *obj, + const char *value, Error **errp) +{ + MachineState *ms = MACHINE(obj); + + g_free(ms->security_policy); + ms->security_policy = g_strdup(value); +} + + static void error_on_sysbus_device(SysBusDevice *sbdev, void *opaque) { error_report("Option '-device %s' cannot be handled by this machine", 
@@ -462,6 +479,11 @@ static void machine_class_init(ObjectClass *oc, void *data) &error_abort); object_class_property_set_description(oc, "enforce-config-section", "Set on to enforce configuration section migration", &error_abort); + + object_class_property_add_str(oc, "security-policy", + machine_get_security_policy, machine_set_security_policy, NULL); + object_class_property_set_description(oc, "security-policy", + "Set the security policy for the machine", NULL); } static void machine_class_base_init(ObjectClass *oc, void *data) diff --git a/hw/core/security-policy.c b/hw/core/security-policy.c new file mode 100644 index 0000000..92689ff --- /dev/null +++ b/hw/core/security-policy.c 
@@ -0,0 +1,166 @@ +/* + * QEMU security policy support + * + * Copyright (c) 2016 Advanced Micro Devices + * + * Author: + * Brijesh Singh + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see . + * + */ + +#include "qemu/osdep.h" +#include "qapi/error.h" +#include "qom/object_interfaces.h" +#include "qemu/base64.h" +#include "trace.h" + +#include "sysemu/security-policy.h" + +static SecurityPolicy * +find_security_policy_obj(const char *name) +{ + Object *obj; + SecurityPolicy *policy; + + if (!name) { + return NULL; + } + + obj = object_resolve_path_component( + object_get_objects_root(), name); + if (!obj) { + return NULL; + } + + policy = (SecurityPolicy *) + object_dynamic_cast(obj, + TYPE_SECURITY_POLICY); + if (!policy) { + return NULL; + } + + return policy; +} + +bool +security_policy_debug_allowed(const char *secure_policy_id) +{ + SecurityPolicy *policy = find_security_policy_obj(secure_policy_id); + + /* if id is not a valid security policy then we return true */ + return policy ? policy->debug : true; +} + +char * +security_policy_get_memory_encryption_id(const char *secure_policy_id) +{ + SecurityPolicy *policy = find_security_policy_obj(secure_policy_id); + + return policy ? 
g_strdup(policy->memory_encryption) : NULL; +} + +static bool +security_policy_prop_get_debug(Object *obj, + Error **errp G_GNUC_UNUSED) +{ + SecurityPolicy *policy = SECURITY_POLICY(obj); + + return policy->debug; +} + + +static void +security_policy_prop_set_debug(Object *obj, + bool value, + Error **errp G_GNUC_UNUSED) +{ + SecurityPolicy *policy = SECURITY_POLICY(obj); + + policy->debug = value; +} + +static char * +sev_launch_get_memory_encryption(Object *obj, Error **errp) +{ + SecurityPolicy *policy = SECURITY_POLICY(obj); + + return g_strdup(policy->memory_encryption); +} + +static void +sev_launch_set_memory_encryption(Object *obj, const char *value, + Error **errp) +{ + SecurityPolicy *policy = SECURITY_POLICY(obj); + + policy->memory_encryption = g_strdup(value); +} + +static void +security_policy_init(Object *obj) +{ + SecurityPolicy *policy = SECURITY_POLICY(obj); + + policy->debug = true; +} + +static void +security_policy_finalize(Object *obj) +{ +} + +static void +security_policy_class_init(ObjectClass *oc, void *data) +{ + object_class_property_add_bool(oc, "debug", + security_policy_prop_get_debug, + security_policy_prop_set_debug, + NULL); + object_class_property_set_description(oc, "debug", + "Set on/off if debugging is allowed on this guest (default on)", + NULL); + object_class_property_add_str(oc, "memory-encryption", + sev_launch_get_memory_encryption, + sev_launch_set_memory_encryption, + NULL); + object_class_property_set_description(oc, "memory-encryption", + "Set memory encryption object id (if supported by hardware)", + NULL); +} + +static const TypeInfo security_policy_info = { + .parent = TYPE_OBJECT, + .name = TYPE_SECURITY_POLICY, + .instance_size = sizeof(SecurityPolicy), + .instance_init = security_policy_init, + .instance_finalize = security_policy_finalize, + .class_size = sizeof(SecurityPolicyClass), + .class_init = security_policy_class_init, + .interfaces = (InterfaceInfo[]) { + { TYPE_USER_CREATABLE }, + { } + } +}; + + 
+static void +security_policy_register_types(void) +{ + type_register_static(&security_policy_info); +} + + +type_init(security_policy_register_types); diff --git a/include/hw/boards.h b/include/hw/boards.h index a51da9c..de1a412 100644 --- a/include/hw/boards.h +++ b/include/hw/boards.h @@ -150,6 +150,7 @@ struct MachineState { /*< public >*/ char *accel; + char *security_policy; bool kernel_irqchip_allowed; bool kernel_irqchip_required; bool kernel_irqchip_split; diff --git a/include/sysemu/security-policy.h b/include/sysemu/security-policy.h new file mode 100644 index 0000000..6d3789d --- /dev/null +++ b/include/sysemu/security-policy.h 
@@ -0,0 +1,75 @@ +/* + * QEMU security policy support + * + * Copyright (c) 2016 Advanced Micro Devices + * + * Author: + * Brijesh Singh + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see . + * + */ + +#ifndef SECURITY_POLICY_H +#define SECURITY_POLICY_H + +#include "qom/object.h" + +#define TYPE_SECURITY_POLICY "security-policy" +#define SECURITY_POLICY(obj) \ + OBJECT_CHECK(SecurityPolicy, (obj), TYPE_SECURITY_POLICY) + +typedef struct SecurityPolicy SecurityPolicy; +typedef struct SecurityPolicyClass SecurityPolicyClass; + +/** + * SecurityPolicy: + * + * The SecurityPolicy object provides method to define + * various security releated policies for guest machine. 
+ * + * e.g + * When launching QEMU, user can create a security policy + * to disallow memory dump and debug of guest + * + * # $QEMU \ + * -object security-policy,id=mypolicy,debug=off \ + * -machine ...,security-policy=mypolicy + * + * If hardware supports memory encryption then user can set + * encryption policy of guest + * + * # $QEMU \ + * -object encrypt-policy,key=xxx,flags=xxxx,id=encrypt \ + * -object security-policy,debug=off,memory-encryption=encrypt,id=mypolicy \ + * -machine ...,security-policy=mypolicy + * + */ + +struct SecurityPolicy { + Object parent_obj; + + bool debug; + char *memory_encryption; +}; + + +struct SecurityPolicyClass { + ObjectClass parent_class; +}; + +bool security_policy_debug_allowed(const char *name); +char *security_policy_get_memory_encryption_id(const char *name); + +#endif /* SECURITY_POLICY_H */ diff --git a/qemu-options.hx b/qemu-options.hx index 95332cc..7a65015 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -4027,6 +4027,27 @@ contents of @code{iv.b64} to the second secret @end table +@item -object security-policy,id=@var{id}[,debug=@var{bool}][,memory-encryption=@var{string}] + +Create a security policy object, which can be used to define guest security. +The id parameter is a unique ID that will be used to reference this +object when security-policy is applied via -machine argument. + +The 'debug' parameter can be defined to tell whether the debugging or memory +dump is allowed through qemu monitor console. + +e.g to disable the guest memory dump +@example + # $QEMU \ + -object security-policy,id=secure0,debug=off \ + -machine ...,security-policy=secure0 +@end example + +if hardware support guest memory encrytion, then 'memory-encryption' parameter +can be set to the unquie ID of memory encryption object. + +On AMD processor, memory encryption is supported via 'sev-guest' object. + ETEXI
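
Review bot: In the exec.c hunk at cpu_physical_memory_rw_debug_internal, the new policy check returns early from a void function after an fprintf(stderr, ...), so a caller cannot tell a denied debug access from a completed one, and any buffer it expected to be filled is left untouched. Consider propagating a failure to the caller (a return value or an Error **) and reporting through error_report(), as hw/core/machine.c does, instead of writing to stderr directly. As written the warning is also printed on every denied access.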
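
Review bot: In the first hw/core/machine.c hunk, machine_set_security_policy stores whatever string it is given and never uses errp, so an id that does not name a security-policy object is accepted silently, and exec.c then re-resolves the name on each debug access through security_policy_debug_allowed(current_machine->security_policy). Resolve the id when it is set (or at machine init, if the object may be created later), report a bad id through errp, and keep the resolved object. The hunk also leaves two blank lines after the setter.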
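
Review bot: In the machine_class_init hunk, the two new calls pass NULL as the Error ** argument, while the enforce-config-section call directly above passes &error_abort. Use &error_abort here too so a failed property registration is not ignored.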
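
Review bot: In hw/core/security-policy.c, security_policy_debug_allowed fails open: `return policy ? policy->debug : true;` allows debug whenever the id does not resolve to a security-policy object, so a mistyped id in -machine security-policy= silently leaves guest memory debug enabled. Treat a non-NULL id that fails to resolve as an error (or deny), and keep the permissive default only for the case where no policy was configured. In the same file, sev_launch_set_memory_encryption overwrites policy->memory_encryption without a g_free() of the old value and security_policy_finalize is empty, so the string leaks. The sev_launch_ prefix on a generic object's accessors, and the qemu/base64.h and trace.h includes that nothing in the file uses, also look like leftovers.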
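
Review bot: In include/sysemu/security-policy.h, the usage example in the SecurityPolicy doc comment creates the encryption object with `-object encrypt-policy,key=xxx,flags=xxxx,id=encrypt`, but the commit message and qemu-options.hx refer to a sev-guest object; please make the example match an object type that exists in this series. The prototypes name the parameter `name` while the definitions in security-policy.c use `secure_policy_id`, and "releated" should be "related".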
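
Review bot: In the qemu-options.hx hunk, the new -object security-policy text does not say that debug defaults to on (security_policy_init sets policy->debug = true) or what happens when the id given to -machine does not match any object. Both matter to someone relying on this option to block guest memory access and should be documented. Typos: "encrytion" should be "encryption", "unquie" should be "unique", and "if hardware support" should be "If hardware supports".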